API defender for endpoint bad request

asked 2023-01-19T09:26:56.0766667+00:00
Daniel 21 Reputation points

I am trying advanced hunting queries towards the endpoint "https://api-eu.securitycenter.microsoft.com/api/advancedqueries/run"

The permissions, tokens and app permissions are already configured. The problem now is that some queries give me a result back and some give HTTP 400 Bad Request.

This query works:

$query = @"
DeviceProcessEvents
|where FileName =~ 'powershell.exe'
|limit 10
"@

These two don't work; I get HTTP 400 Bad Request back:

$query = @"
RegistryEvents | limit 10
"@
$query = @"
SecurityEvent
|where EventID in (4624, 4625)
|where AccountType == 'User'
|summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Amount = count() by LogonTypeName
|extend timestamp = StartTimeUtc
"@

So, what might be the problem? Is it granular permissions that enabled me to check "DeviceProcessEvents" but not "RegistryEvents"?

Is it a license issue? We have Microsoft Defender for Endpoint Plan 2.

Is it some kind of syntax issue? I am just copy/pasting these queries from https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-full-sample-powershell?view=o365-worldwide and https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/RareProcess_forWinHost.yaml and https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/

Tagged: Microsoft Defender for Cloud

Accepted answer
  1. answered 2023-01-27T11:27:03.2566667+00:00
    Givary-MSFT 11,336 Reputation points Microsoft Employee

    @Daniel Apologies for the delay in reviewing this post. I researched your ask, and what I notice is this: for RegistryEvents or SecurityEvent, do you have a schema defined in your security portal? This query worked for you - DeviceProcessEvents - because there is a table defined for it (https://security.microsoft.com). Below is a screenshot from my portal. I would recommend that when you run these queries you match the tables against those within the Schema section of your portal, and see if this suggestion helps to answer your query.

    Reference:

    https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-error-codes?view=o365-worldwide#:~:text=by%20angle%20brackets.-,Error%20codes,-Error%20code

    Understand the advanced hunting schema

    [Screenshot: the Schema section of the security portal, listing the advanced hunting tables]

    Let me know if you have any further questions, feel free to post back.
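The accepted answer's point is that the API only accepts tables that exist in the Defender for Endpoint advanced hunting schema. Registry activity lives in the table DeviceRegistryEvents there, and SecurityEvent is a Log Analytics table used by the Microsoft Sentinel hunting queries the question links to, not an MDE table, which is why a copied query can be valid KQL and still be rejected with 400. The following PowerShell is an added example, not code from the question, the answer or Microsoft's sample: it checks the query's source table against a (partial, hand-maintained) list of MDE schema tables before calling the API, and on failure prints the error body so the reason for the 400 is visible. It assumes `$token` already holds a bearer token obtained the way the question describes; the endpoint URL is the EU one quoted in the question.

```powershell
# Added example: pre-check the source table of a KQL query against the
# Defender for Endpoint advanced hunting schema, then call the API and
# surface the error body when the service answers HTTP 400.

# Assumption: $token already contains a valid bearer token for the API.
$uri = "https://api-eu.securitycenter.microsoft.com/api/advancedqueries/run"

# Partial list of tables in the Defender for Endpoint schema. Extend it from
# the Schema section of https://security.microsoft.com for your tenant.
$mdeTables = @(
    'DeviceInfo', 'DeviceNetworkInfo', 'DeviceProcessEvents', 'DeviceNetworkEvents',
    'DeviceFileEvents', 'DeviceRegistryEvents', 'DeviceLogonEvents',
    'DeviceImageLoadEvents', 'DeviceEvents', 'DeviceFileCertificateInfo'
)

function Get-KqlSourceTable {
    param([Parameter(Mandatory)][string]$Query)
    # The source table is the first identifier in the query, before any '|'.
    $firstLine = $Query -split "`r?`n" | Where-Object { $_.Trim() } | Select-Object -First 1
    return ($firstLine -split '\|')[0].Trim()
}

function Invoke-MdeHuntingQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [Parameter(Mandatory)][string]$Token
    )
    $table = Get-KqlSourceTable -Query $Query
    if ($mdeTables -notcontains $table) {
        Write-Warning "'$table' is not in the Defender for Endpoint schema list; expect HTTP 400. Compare it with the Schema section of the portal."
    }

    $headers = @{
        'Content-Type'  = 'application/json'
        'Accept'        = 'application/json'
        'Authorization' = "Bearer $Token"
    }
    $body = ConvertTo-Json -InputObject @{ 'Query' = $Query }

    try {
        $response = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body -ErrorAction Stop
        return $response.Results
    }
    catch {
        # PowerShell 7 exposes the response body on ErrorDetails.Message;
        # Windows PowerShell 5.1 needs the response stream read manually.
        $detail = $_.ErrorDetails.Message
        if (-not $detail -and $_.Exception.Response) {
            $stream = $_.Exception.Response.GetResponseStream()
            $detail = (New-Object System.IO.StreamReader($stream)).ReadToEnd()
        }
        Write-Error "Advanced hunting request failed: $($_.Exception.Message)`n$detail"
    }
}

# The registry query from the question, using the table name the MDE schema defines.
$query = @"
DeviceRegistryEvents
| limit 10
"@
Invoke-MdeHuntingQuery -Query $query -Token $token | Format-Table
```

Running the original `RegistryEvents | limit 10` through the same function triggers the warning before the request is sent, and if the request is sent anyway the error body returned by the API (see the error-codes page in the reference above) is printed instead of a bare "400 Bad Request".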

